Critical XSS vulnerability in Vue.js exposes more than one million developers
This framework has about one million users in the software development community, so an exploitation campaign could have been highly risky.
Although at first the researcher tried to privately notify Vue.js, after two weeks without receiving a response Jiantao Lin decided to try a more assertive approach and publish a vulnerability report and proof of concept (PoC) to a GitHub repository.
The researcher managed to get the attention of the cybersecurity community quickly, so just a few hours later the vulnerability had already been fixed.
The Starlabs report adds more details about the potential active exploitation of the vulnerability: “In devtools-background.js, there is an injection of code into the toast function; this condition could be triggered by postMessage from any tab, resulting in a universal XSS condition when opening browser development tools.” Apparently, a threat actor could host a website specially designed to exploit this vulnerability and subsequently trick the target user into entering that website and opening the development tools in other Chrome tabs.
Vue.js developers still need to respond to requests for information sent by various members of the cybersecurity community, so more details could be revealed during the next few days. For more information on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses, feel free to access the International Cyber Security Institute (IICS) website.
Originally published at https://www.securitynewspaper.com on February 2, 2021.